SCCM Software Update Baseline

For all operating systems except Windows 10 and Server 2016 we start by creating a baseline. This will include all updates released from the beginning of time for a certain product so that we can ensure the computers are fully patched before we start deploying monthly patches. The best way to create this baseline is by using search criteria like mine below:

Today is June 1st, so June’s updates haven’t been released yet, and I also didn’t want to grab May’s updates because we will use May as the example of how to deploy the monthly release patches. Searching on these criteria returns a lot of results: all Windows 7 64-bit updates released prior to May 1st that aren’t superseded and aren’t expired. This returned 350 updates.

Now I will select all of these updates and add them to a Software Update Group:

With all of these updates added to a Software Update Group, we can now download and deploy them. The intention here is to deploy this Baseline of updates to ALL Windows 7 x64 devices in my environment to bring them all to fully patched through May 1st, 2017. This catches up all existing Windows 7 computers, and any new ones that come online get fully patched as well. To deploy the Software Update Group, switch to the Software Update Groups screen, right-click the group you would like to deploy, and choose Deploy.

This will launch the wizard to deploy this group. We will name the deployment Windows 7 – Baseline, and choose our collection of Windows 7 computers.

On the Deployment Settings screen, we will choose to deploy the updates as required so that they are automatically installed, and I’ll leave the Detail Level at the default.

On the Scheduling screen we can choose our schedule for deploying the updates. Typically you will leave the time set to Client Local Time. Next we’ll choose when to make the updates available for users to install from the Software Center on their own time, then we’ll choose the Installation Deadline when the updates will automatically install on our devices. In my case, I want both to be As Soon As Possible.

On the User Experience screen, we’ll first select the level of notification the end user sees about this deployment. Typically for Software Updates, I choose to only show notifications for computer restarts.

Under Deadline Behavior, checking the boxes lets Software Update installation and system restarts proceed outside of maintenance windows once the deadline is reached. If you don’t have maintenance windows, or you have maintenance windows and want to honor them, don’t check these boxes.

Under Device Restart Behavior, we can choose whether we want the devices to reboot at all. If you want the devices to install the updates but not reboot automatically, check the box for the type of devices you’re deploying the updates to (Windows 7 = Workstations).

The Embedded devices box is checked by default, which is fine; most people don’t use embedded devices, but leaving it checked won’t hurt anything.

The last box asks whether you want the client to run another update evaluation after a restart to check for additional updates that have become applicable. Sure, why not!

On the Alerts screen I can choose my level of alerting for compliance.

On the Download Settings screen: if a computer can’t find the updates on Distribution Points within its boundary, can it go to a Distribution Point outside its boundary to download them? And if the computer can’t find the updates on any DP, can it go over the internet to Microsoft Update and download them?

Distribution Points – choose the Distribution Points or Distribution Point Group to distribute the Software Update package to.

Choose to download the updates over the internet unless you’ve already downloaded them somewhere else.

Select your languages.

Click Next through the rest of the screens.
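The same baseline can be built and deployed without clicking through the wizard, using the ConfigurationManager PowerShell module that ships with the console. This is an added example, not part of the post; the site code, group, package and collection names, the package source path and the DP group name are assumed placeholders, and the x64 title filter is my approximation of the console search criteria.

```powershell
# Added example: scripted version of the baseline walkthrough above.
# Names, site code and paths below are placeholders for your environment.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                      # PS1 = assumed site code

$cutoff      = Get-Date '2017-05-01'     # same cutoff the console search used
$groupName   = 'Windows 7 x64 - Baseline'
$packageName = 'Windows 7 x64 - Baseline'
$packagePath = '\\sccm01\Sources\Updates\Win7x64-Baseline'   # assumed UNC share
$collection  = 'All Windows 7 x64 Workstations'              # assumed collection
$dpGroup     = 'All Distribution Points'                     # assumed DP group

# 1. Same filter as the console search: product Windows 7, not superseded, not
#    expired, posted before the cutoff. -Fast skips lazy properties so the query
#    completes quickly. The x64 title match is an assumption about the search.
$updates = Get-CMSoftwareUpdate -Fast -CategoryName 'Windows 7' `
    -IsSuperseded $false -IsExpired $false -DatePostedMax $cutoff |
    Where-Object { $_.LocalizedDisplayName -like '*x64*' }
Write-Host "Found $($updates.Count) updates for the baseline"   # post saw 350

# 2. Create the Software Update Group and add every matching update to it.
New-CMSoftwareUpdateGroup -Name $groupName `
    -Description "Windows 7 x64 updates released before $($cutoff.ToShortDateString())" | Out-Null
Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $groupName -SoftwareUpdateId $updates.CI_ID

# 3. Download the content into a deployment package and distribute it.
New-CMSoftwareUpdateDeploymentPackage -Name $packageName -Path $packagePath | Out-Null
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $groupName `
    -DeploymentPackageName $packageName -SoftwareUpdateLanguage 'English'
Start-CMContentDistribution -DeploymentPackageName $packageName -DistributionPointGroupName $dpGroup

# 4. Deploy with the wizard choices described above: Required, available and
#    deadline As Soon As Possible on client local time, restart notifications
#    only, maintenance windows honored, embedded write-filter box left on,
#    re-evaluate after restart, fall back to DPs outside the boundary and to
#    Microsoft Update. Check Get-Help New-CMSoftwareUpdateDeployment -Full on
#    your module version before relying on any parameter here.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $groupName `
    -CollectionName $collection -DeploymentName 'Windows 7 - Baseline' `
    -DeploymentType Required -VerbosityLevel OnlySuccessAndErrorMessages `
    -TimeBasedOn LocalTime -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date) `
    -UserNotification DisplaySoftwareCenterOnly `
    -SoftwareInstallation $false -AllowRestart $false `
    -PersistOnWriteFilterDevice $true -RequirePostRebootFullScan $true `
    -ProtectedType RemoteDistributionPoint -DownloadFromMicrosoftUpdate $true
```

Re-running step 1 against the same group later shows which updates Microsoft has since expired or superseded, which is the cue to rebuild the baseline rather than keep deploying stale content.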

Now SCCM will download, distribute, and deploy these updates. This is how we deploy a Baseline of updates that stays deployed for that operating system. Next up we will discuss deploying the monthly released patches.